As many of you know, to swap tokens on Uniswap or any other DEX you first have to click the Approve button in MetaMask (the same applies when adding liquidity). Many of you know about this, but I bet very few people know what the approve function actually does. When you approve, you are giving a smart contract permission to move that token on your behalf (each token has to be approved individually). This means the contract can transfer your tokens later without any further action from you.
Most of you will say "OK, but I can't trade on Uniswap if I don't approve first". That's true, but did you know that you can limit the amount of tokens a smart contract can access? For example, if you want to swap 200 LINK for ETH, you have to approve the smart contract to access your LINK tokens. By default, MetaMask approves an unlimited amount of LINK when a user clicks approve. But before you confirm that transaction you can click "Edit Permission" and choose "Custom Spend Limit" instead of the default "Unlimited". That way you grant the smart contract access only to a portion of your LINK holdings instead of unlimited access, and the allowance is used up as the contract spends it.
I knew what I was doing when I clicked the Approve button, but I thought that I had no choice if I wanted to use Uniswap. But yesterday I stumbled upon this article where a guy lost $140,000 worth of UNI because he granted a smart contract unlimited access to his UNI tokens. He provided liquidity on the UniCats yield farming platform. After a while the user withdrew his UNI, but the UniCats smart contract contained a backdoor which enabled its admin to access the UNI even though it was in the user's wallet.
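To make the mechanism concrete, here is an added example (my own illustration, not MetaMask's, Uniswap's or UniCats' code): an in-memory model of ERC-20 approve/allowance/transferFrom semantics. The balances and the "pool" and "admin" addresses are constructed; the point is that whatever allowance is left over after you withdraw is exactly what a backdoored contract can still pull, and that approving 0 afterwards removes that exposure.

```python
# Added example (not MetaMask's, Uniswap's or UniCats' code): an in-memory model of
# ERC-20 allowance semantics, showing why the leftover allowance is what a spender
# contract can still pull after you have withdrawn from it.
MAX_UINT256 = 2**256 - 1  # what MetaMask's default "Unlimited" approval sets


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)  # holder -> balance
        self.allowances = {}            # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve() overwrites the old value, so approve(spender, 0) revokes it
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # The spender moves the owner's tokens; allowed only within allowance and balance
        if amount > self.allowance(owner, spender) or amount > self.balances.get(owner, 0):
            return False
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def exposure_after_withdraw(approved, revoke=False):
    """User holds 1000 UNI (constructed figure), approves `approved` to a pool
    contract, deposits 200, withdraws them, optionally revokes, and then the
    pool's admin pulls as much as the remaining allowance permits.
    Returns how many of the user's tokens the admin obtained."""
    uni = Token({"user": 1000})
    uni.approve("user", "pool", approved)
    assert uni.transfer_from("pool", "user", "pool", 200)  # deposit into the pool
    uni.balances["pool"] -= 200                            # pool pays the user back
    uni.balances["user"] += 200
    if revoke:
        uni.approve("user", "pool", 0)  # what you should do once you are done with a contract
    # Backdoored admin function: transferFrom against whatever allowance is left
    pullable = min(uni.allowance("user", "pool"), uni.balances["user"])
    if pullable and uni.transfer_from("pool", "user", "admin", pullable):
        return pullable
    return 0
```

With the default unlimited approval the admin gets the whole 1000 after the withdrawal; with a custom limit of exactly 200 (or after approving 0) it gets nothing. On a real chain the same check is the token's `allowance(owner, spender)` view function, which you can query before and after using a contract.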